<p>Using sockets is security-sensitive. It has led in the past to the following vulnerabilities:</p>
<ul>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1785">CVE-2011-178</a> </li>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645">CVE-2017-5645</a> </li>
  <li> <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6597">CVE-2018-6597</a> </li>
</ul>
<p>Sockets are vulnerable in multiple ways:</p>
<ul>
  <li> They enable a software to interact with the outside world. As this world is full of attackers it is necessary to check that they cannot receive
  sensitive information or inject dangerous input. </li>
  <li> The number of sockets is limited and can be exhausted. Which makes the application unresponsive to users who need additional sockets. </li>
</ul>
<p>This rules flags code that creates sockets. It matches only the direct use of sockets, not use through frameworks or high-level APIs such as the
use of http connections.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> sockets are created without any limit every time a user performs an action. </li>
  <li> input received from sockets is used without being sanitized. </li>
  <li> sensitive data is sent via sockets without being encrypted. </li>
</ul>
<p>You are at risk if you answered yes to any of these questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<ul>
  <li> In many cases there is no need to open a socket yourself. Use instead libraries and existing protocols. </li>
  <li> Encrypt all data sent if it is sensitive. Usually it is better to encrypt it even if the data is not sensitive as it might change later. </li>
  <li> <a href="https://www.owasp.org/index.php/Input_Validation_Cheat_Sheet">Sanitize</a> any input read from the socket. </li>
  <li> Limit the number of sockets a given user can create. Close the sockets as soon as possible. </li>
</ul>
<h2>Sensitive Code Example</h2>
<pre>
// === java.net ===
import java.net.Socket;
import java.net.InetAddress;
import java.net.Proxy;
import java.net.ServerSocket;
import javax.net.SocketFactory;

class A {
    void foo(SocketFactory factory, String address, int port, InetAddress localAddr, int localPort, boolean stream,
            String host, Proxy proxy, int backlog, InetAddress bindAddr)
            throws Exception {
        new Socket(); // Sensitive.
        new Socket(address, port); // Sensitive.
        new Socket(address, port, localAddr, localPort); // Sensitive.
        new Socket(host, port, stream); // Sensitive.
        new Socket(proxy); // Sensitive.
        new Socket(host, port); // Sensitive.
        new Socket(host, port, stream); // Sensitive.
        new Socket(host, port, localAddr, localPort); // Sensitive.

        new ServerSocket(); // Sensitive.
        new ServerSocket(port); // Sensitive.
        new ServerSocket(port, backlog); // Sensitive.
        new ServerSocket(port, backlog, bindAddr); // Sensitive.

        factory.createSocket(); // Sensitive
    }
}

abstract class mySocketFactory extends SocketFactory { // Sensitive. Review how the sockets are created.
    // ...
}
</pre>
<pre>
// === java.nio.channels ===
import java.net.SocketAddress;
import java.nio.channels.AsynchronousChannelGroup;
import java.nio.channels.AsynchronousServerSocketChannel;
import java.nio.channels.AsynchronousSocketChannel;
import java.nio.channels.SocketChannel;
import java.nio.channels.ServerSocketChannel;

class A {
    void foo(AsynchronousChannelGroup group, SocketAddress remote) throws Exception {
        AsynchronousServerSocketChannel.open(); // Sensitive.
        AsynchronousServerSocketChannel.open(group); // Sensitive.
        AsynchronousSocketChannel.open(); // Sensitive.
        AsynchronousSocketChannel.open(group); // Sensitive.
        SocketChannel.open(); // Sensitive.
        SocketChannel.open(remote); // Sensitive.
        ServerSocketChannel.open(); // Sensitive.
    }
}
</pre>
<pre>
// === Netty ===
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.ServerSocketChannel;
import io.netty.channel.socket.SocketChannel;

class CustomChannelInitializer extends ChannelInitializer&lt;ServerSocketChannel&gt; { // Sensitive. Review how the SocketChannel is used.
    @Override
    protected void initChannel(ServerSocketChannel ch) throws Exception {
    }
}

class A {
    void foo() {
        new ChannelInitializer&lt;SocketChannel&gt;() {  // Sensitive
            @Override
            public void initChannel(SocketChannel ch) throws Exception {
                // ...
            }
        };
    }
}
</pre>
<h2>See</h2>
<ul>
  <li> <a href="https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure">OWASP Top 10 2017 Category A3</a> - Sensitive Data Exposure
  </li>
  <li> <a href="http://cwe.mitre.org/data/definitions/20">MITRE, CWE-20</a> - Improper Input Validation </li>
  <li> <a href="http://cwe.mitre.org/data/definitions/400">MITRE, CWE-400</a> - Uncontrolled Resource Consumption ('Resource Exhaustion') </li>
  <li> <a href="http://cwe.mitre.org/data/definitions/200">MITRE, CWE-200</a> - Information Exposure </li>
  <li> <a href="https://www.sans.org/top25-software-errors/#cat2">SANS Top 25</a> - Risky Resource Management </li>
  <li> <a href="https://www.sans.org/top25-software-errors/#cat3">SANS Top 25</a> - Porous Defenses </li>
</ul>

